ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 


Does the draft guidance cover the relevant issues about the right
of access?


[x]


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


• Greater clarity is required in regards to when the statutory time limit starts and stops. A
flowchart or section specifically addressing this with scenarios would help explain this clearly. 


There is not enough detail on how organisations should act when a requestor does not respond 
to a follow-up query. For example, if a requestor makes a subject access request and we query 
the method of sending the information but receive no response from the data subject, is the 
data controller still obligated to send out this request within the statutory timeframe? 


On page 27 where it states: 


“Similarly, if you process data from a range of data sources, including unstructured 
data, this can pose difficulties when producing all of the data you hold on one individual. 
This can be further complicated if you make use of observed data or inferred data — 
data that an individual has not provided to you directly. For example, if you generate 
insights about an individual’s behaviour based on their use of your service, where this 
data is identified or identifiable (directly or indirectly) then it is personal data and subject 
to the right of access.” 


This is not sufficiently clear and does not address a situation where a data subject requests
all data which may directly or indirectly reference them, even if not by name. A clear 
example/scenario would be useful. 


Q3 Does the draft guidance contain enough examples? 


[x] Yes
No 


Unsure/don’t know 


If no or unsure/don't know, please provide any examples that you 
think should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Our organisation receives a number of HR-related subject access requests and usually in the run up to
an employee relations case. Follow-up requests are also common. It is clear that the employee is
looking for evidence within the content of the disclosure to help their case. We would define this as
being manifestly unfounded if we feel the original disclosure of information was complete and
comprehensive.


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score? 


It clarifies a number of areas such as the level of ID that should be requested when logging a request 
and includes a wide variety of examples in relation to “manifestly unfounded or excessive” subject 
access requests. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


One of the issues we come across in the team is a matter that is putting our actual team at risk. Due to
the nature of our organisation, some of our data subjects can be aggressive and will at times not react
well to decisions we have made about their records (even after the completion of a Serious Harm
Test). The guidance focuses solely on the rights of the data subject and ignores instances where staff
members may be at risk due to aggressive data subjects. For example, data subjects showing up to
our building demanding a follow up etc. An exemption in the cases of the SAR Officers feeling unsafe
or not comfortable interacting with certain data subjects will not fall under the current exemptions of
‘manifestly unfounded’ or ‘excessive’.


Q9 Are you answering as: 


[ ] An individual acting in a private capacity (eg someone
providing their views as a member of the public)

[ ] An individual acting in a professional capacity

[x] On behalf of an organisation

[ ] Other


Please specify the name of your organisation: 


West London NHS Trust 


What sector are you from: 


Healthcare 


Q10 How did you find out about this survey? 


ICO Twitter account

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


